From: Greg KH <gregkh@linuxfoundation.org>
To: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Joel Fernandes <joel@joelfernandes.org>,
LKML <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Alexei Starovoitov <ast@kernel.org>,
atish patra <atishp04@gmail.com>,
Daniel Colascione <dancol@google.com>,
Dan Williams <dan.j.williams@intel.com>,
Dietmar Eggemann <dietmar.eggemann@arm.com>,
Guenter Roeck <groeck@chromium.org>,
Jonathan Corbet <corbet@lwn.net>,
Karim Yaghmour <karim.yaghmour@opersys.com>,
Kees Cook <keescook@chromium.org>,
Android Kernel Team <kernel-team@android.com>,
"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@vger.kernel.org>,
linux-trace-devel@vger.kernel.org,
Manoj Rao <linux@manojrajarao.com>,
Masahiro Yamada <yamada.masahiro@socionext.com>,
Masami Hiramatsu <mhiramat@kernel.org>,
Qais Yousef <qais.yousef@arm.com>,
Randy Dunlap <rdunlap@infradead.org>,
Steven Rostedt <rostedt@goodmis.org>,
Shuah Khan <shuah@kernel.org>, Yonghong Song <yhs@fb.com>
Subject: Re: [PATCH v4 1/2] Provide in-kernel headers for making it easy to extend the kernel
Date: Sat, 9 Mar 2019 08:16:48 +0100
Message-ID: <20190309071648.GE3882@kroah.com>
In-Reply-To: <CAMuHMdUmnrJtu8bBeUgtiU6y_TLHM27z1WxpPia4dXMpApeijw@mail.gmail.com>

On Fri, Mar 08, 2019 at 06:59:23PM +0100, Geert Uytterhoeven wrote:
> Hi Greg,
>
> On Fri, Mar 8, 2019 at 6:05 PM Greg KH <gregkh@linuxfoundation.org> wrote:
> > On Fri, Mar 08, 2019 at 05:42:32AM -0800, Joel Fernandes wrote:
> > > On Fri, Mar 8, 2019, 3:53 AM Geert Uytterhoeven <geert@linux-m68k.org> wrote:
> > > > > It is just so much easier to use tar + xz at build time, and leave the
> > > > > decompression task to the user. After decompression, the files will live on
> > > > > the disk and the page-cache mechanism will free memory when/if the files fall
> > > > > off the LRUs.
> > > >
> > > > I'm also considering how generic and extensible the solution is.
> > > > What if people need other build artifacts in the future (e.g. signing key to
> > > > load signed modules)?
> > >
> > > That sounds like it could be useful. I don't see any reason off the
> > > top why that would not be possible to add to the list of archived
> > > files in the future. The patch allows populating the list of files
> > > from Kbuild using ikh_file_list variable.
> >
> > Um, no, you don't want the signing key in the kernel itself, as that
> > totally defeats the purpose of the signing key :)
>
> In a loadable module?
> He who has the module, can build and sign more modules.

Again, that's pretty foolish.

Signing keys should be kept secure, or better yet, just deleted entirely
after creating and signing with them. That's what I do for my kernels
and I'm pretty sure that some distros also do this. That way there's no
chance that someone else can sign a module and have it loaded without
detection, which is what signing is supposed to prevent from happening.

thanks,

greg k-h
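
Added example, not part of the thread or the patch: a check for the concern discussed above, scanning a tar.xz archive of build artifacts for PEM private key material before the archive is shipped. The file names and the sample archive are constructed for illustration, and the function names are hypothetical.

```python
import io
import re
import tarfile

# PEM headers that mark private key material (PKCS#8, encrypted PKCS#8, RSA, EC).
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")


def find_private_keys(archive_bytes):
    """Return sorted names of regular files in a tar.xz archive holding a PEM private key."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:xz") as tar:
        for member in tar:
            if not member.isfile():
                continue  # skip directories, symlinks and device nodes
            data = tar.extractfile(member).read()
            if PRIVATE_KEY_RE.search(data):
                hits.append(member.name)
    return sorted(hits)


def build_sample_archive(files):
    """Build an in-memory tar.xz from a {name: bytes} mapping (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: a header, a public certificate, and a fake private key file.
SAMPLE = build_sample_archive({
    "include/linux/kernel.h": b"#ifndef _LINUX_KERNEL_H\n#endif\n",
    "keys/module_signing_cert.pem":
        b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
    "keys/module_signing.pem":
        b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
})

if __name__ == "__main__":
    leaked = find_private_keys(SAMPLE)
    for name in leaked:
        print("private key material in archive:", name)
    # Non-zero exit lets a build step fail when a key would be shipped.
    raise SystemExit(1 if leaked else 0)
```
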